Privacy Policy
Effective: April 22, 2026 · Last updated: April 22, 2026
This Privacy Policy explains how Various Ventures, LLC, a Texas limited liability company ("Various Ventures," "we," "us," or "our"), collects, uses, discloses, and protects personal information in connection with Brimbox, a product of Various Ventures available at brimbox.io and through related applications and APIs (collectively, the "Service").
This Policy applies to: (a) users who create an account and use the Service ("Users"); (b) the personal data of business contacts that Users upload into the Service ("Contacts"); and (c) visitors to our marketing website. If you are a Contact and wish to exercise rights over your information, see Section 9 or contact the User who uploaded you; we will cooperate with the User and honor regulator-required responses where applicable.
1. Summary
Brimbox helps you send email sequences through your own email account. We store the data you provide (contacts, templates, sequences), the credentials needed to send on your behalf (OAuth tokens or encrypted SMTP/IMAP passwords), and the delivery events your sequences produce (opens, clicks, replies, bounces). We do not sell your personal information or your contacts' personal information. We do not share your contact lists with advertising networks or data brokers. You can export everything and delete your entire account from your settings at any time.
2. Who We Are (Controller)
For purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and comparable laws, the controller of personal data processed through the Service is Various Ventures, LLC. Contact: privacy@brimbox.io.
For personal data of your business Contacts, Users are the controller and Various Ventures is the processor. The terms of that relationship are set out in our Terms of Service and in any Data Processing Addendum we have entered into with the User.
3. Information We Collect
3.1 Account information.
- Name, email address, password hash (we do not receive or store plaintext passwords).
- Authentication metadata (provider identifier when you sign in with Google, session tokens, last-login timestamps).
- Subscription plan, Stripe customer identifier, and billing status. Payment card details are handled by Stripe, Inc. under PCI DSS controls; we never see or store your full card number.
3.2 Content you submit.
- Contact records you import or create (name, email, company, title, tags, and any custom fields you define).
- Templates, sequence definitions, step contents, notes, and other material you save inside the Service.
3.3 Email-provider credentials.
- Google OAuth access and refresh tokens when you connect Gmail. Scopes are limited to sending mail and reading inbox metadata for reply and bounce detection. We do not read mail outside what those scopes require.
- Microsoft OAuth tokens when you connect a Microsoft 365 account.
- SMTP and IMAP host, username, and password when you connect a custom mail server. Passwords are encrypted at rest using AES-256-GCM with keys managed by Various Ventures. We never log or display plaintext credentials.
3.4 Delivery and engagement events.
- Send records (recipient address, timestamp, status, provider message ID, subject line).
- Open events generated when a recipient loads a tracking pixel we embed in outbound messages.
- Click events generated when a recipient clicks a link that the Service has rewritten for tracking.
- Reply and bounce signals obtained by querying your connected inbox for messages from Contacts you have enrolled in sequences, or for Delivery Status Notifications (mailer-daemon messages). We query the inbox only for addresses and subjects tied to sequences you actively run; we do not read unrelated mail.
3.5 Technical and usage data.
- IP address (used for signup validation, rate-limiting, abuse detection, and fraud prevention).
- User agent, device type, browser, operating system, and time-zone.
- Standard server access logs (request URL, status code, latency, referrer, user agent, IP).
- Product-usage telemetry strictly tied to delivering the Service (feature counters, error traces, session-scoped identifiers).
3.6 AI-assisted lookup data.
When you use the LinkedIn Grab feature, we send the LinkedIn URL you provide and a short extracted text snippet to Anthropic, PBC in order to research and predict the contact's email address. Anthropic processes the request as our subprocessor under its terms. We do not use the resulting predictions to train any machine-learning model.
4. How We Use Information
- To provide, maintain, secure, and improve the Service.
- To send email on your behalf through your connected provider, record delivery events, and detect replies and bounces so sequences auto-stop when appropriate.
- To process payments, manage subscriptions, and administer accounts.
- To communicate with you about the Service (service notices, receipts, security alerts, and administrative messages). You cannot opt out of operational messages while your account is active.
- To prevent, detect, investigate, and respond to fraud, abuse, spam, security incidents, and violations of the Terms of Service.
- To meet legal, regulatory, audit, accounting, and tax obligations.
- To analyze aggregate, de-identified product metrics to improve features and business operations. We do not combine these metrics with your Contacts' personal information to identify individuals.
We do not sell or rent personal information. We do not use Users' Contacts for our own marketing. We do not use Customer Content to train machine-learning models.
5. Legal Bases for Processing (GDPR / UK GDPR)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Contract. Processing necessary to provide the Service you signed up for and to perform the Terms.
- Legitimate interests. Processing necessary for our legitimate interests in securing and operating the Service, preventing fraud and abuse, developing new features, enforcing the Terms, and pursuing lawful business purposes, where those interests are not overridden by your rights.
- Consent. For optional integrations you voluntarily connect (for example, your Gmail or Microsoft account) and for any marketing communications you opt into. You may withdraw consent at any time.
- Legal obligation. When we must process personal data to comply with applicable law or respond to lawful requests from authorities.
6. How We Share Information
We share personal information only as described below:
- Subprocessors. With service providers who help us run the Service, bound by written contracts containing confidentiality and data-protection obligations:
  - Vercel, Inc. — hosting, edge network, and build infrastructure (United States).
  - Neon, Inc. — managed PostgreSQL database hosting (United States).
  - Stripe, Inc. — payment processing, invoicing, and tax calculation (United States).
  - Resend, Inc. — delivery of our transactional email (password reset, receipts, and similar messages sent from brimbox.io).
  - Anthropic, PBC — AI-assisted email-address prediction for the LinkedIn Grab feature (United States).
  - ImprovMX — inbound email forwarding for our support@brimbox.io alias.
  - Google LLC and Microsoft Corporation — only when you voluntarily connect an account through OAuth, strictly for the scopes you authorize.
- Business transfers. If Various Ventures is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections. Continued use of the Service after any such transfer is governed by the privacy policy of the acquirer.
- Legal process and safety. We may disclose personal information when we believe in good faith that disclosure is required to comply with a subpoena, court order, or other valid legal process; to enforce the Terms; to protect the rights, property, or safety of Various Ventures, our users, or the public; or to investigate fraud or security issues.
- With your direction. When you direct us to share data with a third party (for example, by connecting an integration or exporting data).
We do not sell personal information, share personal information for cross-context behavioral advertising, or provide data to data brokers.
7. Data Retention
- Active accounts. We retain personal information for as long as your account is active and for the time needed to provide the Service.
- Account deletion. When you delete your account, we begin deleting your user record and cascade-deleting contacts, sequences, templates, send history, event history, settings, and email connections within thirty (30) days, except where we are required to retain certain information longer (for example, tax and financial records retained by Stripe and/or our accountants; log data retained for security and fraud investigation purposes in accordance with our log-retention schedule).
- Backups. Routine encrypted database backups may retain deleted content for up to thirty (30) days before rotation.
- Aggregated data. We may retain de-identified or aggregated data (data that cannot be reasonably re-associated with an individual) indefinitely.
8. Security
We implement administrative, technical, and physical safeguards designed to protect personal information, including:
- TLS 1.2+ encryption for data in transit.
- Encryption at rest for the production database and for stored secrets (OAuth tokens, SMTP/IMAP passwords via AES-256-GCM).
- Password hashing with bcrypt for any password-based credentials we store.
- Principle-of-least-privilege access for production systems, with audit logging of access.
- Environment separation between production, staging, and development.
- Rate limiting, automated abuse detection, and continuous monitoring for anomalies.
- Scoped OAuth tokens, revoked on disconnect or account deletion.
No security program is perfect. If you suspect unauthorized access to your account or to our systems, notify us immediately at security@brimbox.io.
9. Your Rights
Depending on where you reside, you may have some or all of the following rights with respect to your personal information:
- Access. Obtain a copy of the personal information we hold about you.
- Correction. Correct inaccurate or incomplete personal information.
- Deletion. Request deletion of your personal information.
- Portability. Receive your personal information in a structured, machine-readable format and transmit it to another controller.
- Restriction and objection. Restrict or object to certain processing, including processing for direct marketing.
- Withdrawal of consent. Withdraw consent for processing that is based on consent, without affecting the lawfulness of processing before withdrawal.
- Non-discrimination. Exercise these rights without receiving discriminatory treatment.
- Lodge a complaint. Complain to a supervisory authority in the EU/EEA, the Information Commissioner's Office in the UK, or an equivalent regulator in your jurisdiction. We invite you to contact us first so we can try to resolve your concern.
Most rights are self-serve from Settings → Account: export your data as JSON, correct your profile, or delete your account. For anything you cannot do yourself, email privacy@brimbox.io. We may ask for information to verify your identity before acting on a request. We will respond within the timeframe required by applicable law (typically 30 days, extendable for complex requests).
California residents have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act, including the right to know categories and specific pieces of personal information collected, the right to correct, the right to delete, the right to limit use of sensitive personal information, and the right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell or share personal information for cross-context behavioral advertising.
10. International Data Transfers
Various Ventures operates from the United States, and our infrastructure providers are primarily located in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (and, where applicable, the UK International Data Transfer Addendum), as implemented in our agreements with subprocessors.
11. Cookies and Similar Technologies
We use a small number of first-party cookies that are strictly necessary for the Service to function:
- Session cookies for authentication (keeping you signed in).
- CSRF protection cookies to prevent cross-site request forgery.
- Preference cookies to remember UI choices such as time zone or notification settings.
We do not use cookies for cross-site advertising. If your browser blocks essential cookies, the Service will not function properly. The email tracking pixel and link-rewriting used in sequences are tools you deploy against your own Contacts as the controller of that data; using them is at your discretion and is governed by your compliance with applicable law.
12. Children
The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, contact privacy@brimbox.io and we will promptly delete the information.
13. Automated Decision-Making
We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects on you.
14. Do Not Track
Our Service does not respond to Do Not Track browser signals at this time, because there is no common industry standard for interpreting them. We do not use tracking technologies that would meaningfully be affected by such signals.
15. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where required by law or appropriate, notify active users by email or in-product notice at least fourteen (14) days before the change takes effect. Your continued use of the Service after an update indicates acceptance of the updated Policy.
16. Contact
For privacy questions, data-subject requests, or to exercise your rights: privacy@brimbox.io.
For security reports: security@brimbox.io.
General support: support@brimbox.io.
Legal entity: Various Ventures, LLC, a Texas limited liability company. Brimbox is a product of Various Ventures, LLC.